MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b
SHA3-384 hash: 452d4147d9b852a3c5a8e73518fc5a647e4169c060df97ecf13fab184af645ad2bf54bd470b9705695fe73b52bfa4d3d
SHA1 hash: ebbd388008a94ec8a20724ea4f6ee48bfc93e238
MD5 hash: fd4a1db355d38e4ea9152b5633c7e5d0
humanhash: robin-diet-eight-mockingbird
File name:82105269.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'079'808 bytes
First seen:2022-11-22 13:32:26 UTC
Last seen:2022-11-23 06:58:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:P1u4PpqsaMFOxrq5h0BfrV2rCdArKPwvOBBqdO:P3PpZgq56TV2ruDnBqdO
Threatray 22'278 similar samples on MalwareBazaar
TLSH T15E357BCB1F310E84CB4E34715C8D1B8855923DA149F59CF32B75AB782E468EFA69227C
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:AgentTesla exe Maersk

Intelligence

File Origin
# of uploads :
7
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
82105269.exe
Verdict:
Malicious activity
Analysis date:
2022-11-22 13:32:55 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/54b83a36-4903-4253-bc8c-2f0debbaafdf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337223/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.389-2.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637ccf8f903ba0eaf36d0329/reports/ae47ee5f-69fd-44fd-9f4a-fa421c69ed40/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d28ddee9-e54d-450e-aa9d-480f364a4b5d
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118932
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751649 Sample: 82105269.exe Startdate: 22/11/2022 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Sigma detected: Scheduled temp file as task from temp location 2->68 70 7 other signatures 2->70 7 82105269.exe 7 2->7         started        11 mynJKXltwPj.exe 5 2->11         started        13 MYAPP.exe 2 2->13         started        15 MYAPP.exe 2->15         started        process3 file4 44 C:\Users\user\AppData\...\mynJKXltwPj.exe, PE32 7->44 dropped 46 C:\Users\...\mynJKXltwPj.exe:Zone.Identifier, ASCII 7->46 dropped 48 C:\Users\user\AppData\Local\...\tmp25B8.tmp, XML 7->48 dropped 50 C:\Users\user\AppData\...\82105269.exe.log, ASCII 7->50 dropped 88 Uses schtasks.exe or at.exe to add and modify task schedules 7->88 90 Writes to foreign memory regions 7->90 92 Adds a directory exclusion to Windows Defender 7->92 17 RegSvcs.exe 17 5 7->17         started        22 RegSvcs.exe 7->22         started        24 powershell.exe 17 7->24         started        26 schtasks.exe 1 7->26         started        94 Multi AV Scanner detection for dropped file 11->94 96 Machine Learning detection for dropped file 11->96 98 Injects a PE file into a foreign processes 11->98 28 RegSvcs.exe 11->28         started        30 schtasks.exe 11->30         started        100 Tries to detect sandboxes / dynamic malware analysis system (file name check) 13->100 32 conhost.exe 13->32         started        34 conhost.exe 15->34         started        signatures5 process6 dnsIp7 52 jackbarber.com 138.128.163.242, 49706, 49713, 587 DIMENOCUS United States 17->52 54 mail.jackbarber.com 17->54 62 3 other IPs or domains 17->62 42 C:\Users\user\AppData\Roaming\...\MYAPP.exe, PE32 17->42 dropped 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->72 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->74 76 May check the online IP address of the machine 22->76 78 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->78 36 conhost.exe 24->36         started        38 conhost.exe 26->38         started        56 mail.jackbarber.com 28->56 58 54.91.59.199, 443, 49711 AMAZON-AESUS United States 28->58 60 api.ipify.org 28->60 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->80 82 Tries to steal Mail credentials (via file / registry access) 28->82 84 Tries to harvest and steal ftp login credentials 28->84 86 Tries to harvest and steal browser information (history, passwords, etc) 28->86 40 conhost.exe 30->40         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 12:41:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2advlcjle7vfmhas5pz46nu4ibixofjklbxhkykm76uszyhmuefq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4060ca25ee645493d07079398edda938c6d2765348874fe5359f6a2b556f6799
AgentTesla
5b03580eb279892ac9a03742ea838ffc55bfde4c4a1edf66a03cceec400c81e2
AgentTesla
663796a5ce4127446f60d77bca21aee44037d4c0eaf3b14449f4a54ecb359428
AgentTesla
7a7f48a5a8c241f21b74550d56f6de96746999fa79bc8794363e23c3ea16b4dd
AgentTesla
7b4a943768c56d1e3080122f60e995e1b22de4dfbb8c806d583adaa21e0de66b
AgentTesla
81f5eecb34f22bd640cee738295303153d9afda2a35e365d061d058fbbfed498
AgentTesla
9b2c7ebecd82b2543c3f3a175a7fe37350277b6cb5f9481dded11e34a51ca4bd
AgentTesla
c4219d6731e844fe6583905d041a827bad32cfe74fabcd6bf544a52b6358320d
AgentTesla
de21a9c1a04520a1d28a1d7a75e50c6520541ca94b7e64b4da62e35bea64fc2a
AgentTesla
+ 22'268 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/221122-qthnrseb48/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
3c991a72c8e047741d335988afa4abdce606075f3dcc82ed1567c5d583a8edc1
MD5 hash:
4232101413dc24d4c6a68f9be716daa2
SHA1 hash:
f4d118c377b5d64d535089e6750123f6f768379f
Link:
https://www.unpac.me/results/70d56a2a-ce79-4d6e-805d-e75415b130b5/
SH256 hash:
0a8c55b9aeb5d60228d0bf7811f22c09370659ee80160f5b097245c81f2b4b51
MD5 hash:
f81d922a9dfc8fd9cc9d987455aa99ce
SHA1 hash:
a0c3d5b565cb9ddc1e424ac4e3208db74e9eeb76
Link:
https://www.unpac.me/results/70d56a2a-ce79-4d6e-805d-e75415b130b5/
SH256 hash:
50ad8c1b0c7e88b0ed950719f1a8dfdc199d5a19b4059f90a371ab5b9d7158e0
MD5 hash:
e08643046755467a0ea3c2153ef1b167
SHA1 hash:
80f578d3f6d243efc33236d97140c18e81904648
Detections:
AgentTesla
Create hunting rule
Link:
https://www.unpac.me/results/70d56a2a-ce79-4d6e-805d-e75415b130b5/
Parent samples :
024ba3ede81d9ab14c13dc286cb2492cbcda7640d69bb9dc74f901e8217907b2
c8676f5a35ecf028d928368d10e861e4c6e803438861ebf02e7256a6f9bb497b
d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/70d56a2a-ce79-4d6e-805d-e75415b130b5/
SH256 hash:
032370773c924bc9b86549b51df963ae182e2f12e7345ab7a62d28a34558a24e
MD5 hash:
d2d3f799013ef86b7cdecc91b68a2a19
SHA1 hash:
227ca676ca8a7d1b83b09fdb80da4703387dee77
Link:
https://www.unpac.me/results/70d56a2a-ce79-4d6e-805d-e75415b130b5/
SH256 hash:
d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b
MD5 hash:
fd4a1db355d38e4ea9152b5633c7e5d0
SHA1 hash:
ebbd388008a94ec8a20724ea4f6ee48bfc93e238
Link:
https://www.unpac.me/results/70d56a2a-ce79-4d6e-805d-e75415b130b5/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d00755892b27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 10bd6c6778222a583c8b6022092b1d654a69a2cfbd89f4fa8a1127c547989a33

AgentTesla

Executable exe d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 10bd6c6778222a583c8b6022092b1d654a69a2cfbd89f4fa8a1127c547989a33
Cape
Cape
https://www.capesandbox.com/analysis/337223/
  
Dropped by
MD5 5aae6e2b1e06b4467e6b26b3fe228dcf

Comments